4 July 2005

BJ’s and DSW Cases Open a New Front in the War on Data Insecurity

Morrison & Foerster LLP


Both federal and state regulators have expanded their campaigns against companies that fail to secure customer data or fail to advise consumers when breaches of information security have occurred. The new enforcement strategy, which targets companies that have given no assurances to consumers about information protection, is signaled by enforcement actions recently announced by the Federal Trade Commission ("FTC" or "Commission") and the Ohio Attorney General.

The BJ’s Case

On June 16, 2005, the FTC announced its proposed settlement of an enforcement action against BJ’s Wholesale Club, Inc. ("BJ’s"). According to the FTC, BJ’s had committed unfair acts and practices when it failed to implement reasonable procedures to protect its customers’ credit and debit card information. BJ’s apparently had transmitted and stored this information in unencrypted form, using computer networks that could be accessed by means of default passwords and insecure wireless connections, with the result that several millions of dollars were fraudulently charged to customers’ accounts. BJ’s has not admitted wrongdoing, but the parties have agreed to a consent decree that will subject BJ’s to federal oversight of its information security practices for the next 20 years.

Given the apparent laxity of BJ’s security practices, the Commission’s decision to bring an enforcement action is not surprising. What is noteworthy is that for the first time, the FTC has acted against a company that gave no assurances to the public concerning its handling of customer information. After the BJ’s case, companies that say nothing about their data security practices are just as vulnerable to enforcement actions as those that do. This marks an aggressive shift in the FTC’s enforcement strategy and raises the bar for companies that store and handle customer information.

The Facts: the BJ’s Network

As described in the FTC’s complaint, each of the 150 stores operated by BJ’s collected credit card and debit card information when customers "swiped" their cards at check-out counters. That information was transmitted to an in-store computer, which sent authorization requests to the banks that issued the cards. The authorization requests went first to the company’s central data center, then to the issuing banks. The banks’ responses to the authorization requests reached the originating checkout counters by traveling the same route in reverse. After the transactions were complete, the customers’ credit card information was kept in the in-store computers for as long as 30 days.

Unfortunately, all of this credit card information was transmitted and stored in unencrypted form, and the in-store computers could be accessed by anyone with knowledge of common default user ids and passwords. To make the system even more vulnerable, the stores used unencrypted, wireless "Wi-Fi" systems to connect the on-premises computers with inventory scanning devices located throughout the stores. With this system, any "war walker" passing by a BJ’s store presumably could piggyback on the Wi-Fi connection, enter a default user id and password, and pick off credit card information from the in-store computer at will. Not surprisingly, shoppers at BJ’s stores were victimized by fraudulent purchases made with counterfeit copies of their credit and debit cards. In many cases, customers were unable to use their accounts until new cards were issued.

The Fallout: The FTC Complaint and Consent Decree

The FTC complaint alleged that BJ’s did not employ reasonable and appropriate measures to secure personal information collected at its stores, and that those failures constituted unfair acts and practices that harmed consumers. Specifically, the FTC alleged that BJ’s:

  • Failed to encrypt personal information of its customers while in transit or when stored on the in-store computer networks;
  • Stored personal information in files that could be accessed anonymously;
  • Failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks;
  • Failed to employ sufficient measures to detect unauthorized access or conduct security investigations; and
  • Created unnecessary risks to the consumers’ personal information by storing it for up to 30 days when it no longer had a business need to keep the information.

In response to the complaint, the FTC issued a proposed consent order to be placed on the public record for 30 days. The consent order requires BJ’s to establish, implement and maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity of personal information collected from or about consumers. BJ’s information security program must include:

  • Designation of employee(s) to coordinate and be accountable for the information security program;
  • Identification of material internal and external risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure or other compromise of the information, and assessment of the sufficiency of any safeguards in place to control the risks; and
  • Design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems and procedures.

The consent order also requires BJ’s to obtain an assessment and report biennially for 20 years, which, among other things, sets forth the specific administrative, technical and physical safeguards that BJ’s has implemented and maintained during the reporting period, explains how the safeguards are appropriate and certifies that BJ’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality and integrity of personal information is protected.

The Future: The "Unfairness" Era of Information Security Enforcement Dawns

Until its recent action against BJ’s, the FTC had based its data security enforcement efforts on its authority to regulate "deceptive," rather than "unfair," acts and practices.1 Under this approach, when the FTC suspects that a company has not secured customer data in ways acceptable to the Commission, the FTC must find that the company has made a representation about data security that the facts show to be false.

Some of these efforts are rather strained. In the Commission’s 2002 Eli Lilly case, for example, the target company had given a general assurance that it had "security measures in place . . . to protect the confidentiality of [user] information" and "respect[ed] the privacy of visitors to its Web sites . . ."2 The company’s only specific claim was that it used "standard secure socket layer encryption" to protect information provided to its Web site. When an Eli Lilly employee inadvertently disclosed the email addresses of subscribers to an antidepressant users’ notification service, the Commission decided that these commitments were violated. The Commission did not allege that Eli Lilly had no "security measures in place . . . to protect the confidentiality of user information," or that Eli Lilly lacked "respect [for] the privacy of visitors to its Web sites . . ." Neither did the Commission claim that Eli Lilly’s one specific reference to a data protection measure – its claim to use secure socket layer encryption – was false. Instead, the Commission alleged that some or all of these assurances were belied by defective training of Eli Lilly’s personnel and failure to "pretest the [email program] internally" before the offending message was sent. This and other enforcement actions suggested that the FTC might use any statement about data security, no matter how general or distant from the problem at issue, as the basis for a deception claim.3

As powerful as the deception theory was, FTC officials began to express frustration that a company might avoid such claims simply by saying nothing about its information security practices.4 At least a year before the BJ’s decree was announced, the FTC warned that an information security practice could also be "unfair."5 On this theory, the FTC need only show that a company’s information security practices: (1) cause or are likely to cause substantial injury to consumers; (2) that the harm to consumers is not reasonably avoidable by consumers themselves and (3) that the harm is not outweighed by countervailing benefits to consumers or to competition.6

This test was easily satisfied by the facts of the BJ’s case. There is no question that consumers were harmed when their debit and credit card data were stolen; and it is hard to imagine how, except by avoiding BJ’s altogether or doing business there only in cash, consumers could have prevented the harm by their own efforts. It also is hard to imagine how failure to implement common security measures, such as assignment of non-default user ids and passwords, provided countervailing benefits to consumers or to competition. However, the unfairness doctrine will not be an easy fit with the facts of all data security cases.

Consider, for example, the need to prove that the challenged conduct caused, or was likely to cause, substantial harm to consumers. The BJ’s case involved actual harm of a substantial and tangible character, but many data security incidents and failures cause only potential or intangible injury to consumers. Even if the Commission limits itself to security weaknesses that threaten substantial financial loss, its task will not be easy. Deciding whether a network vulnerability is likely to result in consumer injury requires an understanding of the technical nature of the vulnerability, the likelihood of discovery of that vulnerability by unauthorized persons, and the further likelihood that persons armed with that discovery will succeed in securing and using personal information in a way that causes tangible harm. Historically, the FTC’s consumer protection cases have not required anything like this level of technical knowledge or analysis.7

Similarly, it may be difficult in many cases to determine whether a potential harm is reasonably avoidable by consumers or is offset by countervailing benefits. If a consumer can protect his or her data by downloading firewalls or taking other technical measures, how well-publicized and user-friendly must those products be in order to make the potential harm "reasonably avoidable" by the consumer? If implementation of a particular security measure will make a product cumbersome or costly to use, how will the Commission decide when avoidance of those burdens constitutes a countervailing benefit sufficient to justify the risk of not implementing the measure? This is another analysis for which the Commission’s past unfairness claims offer little guidance.8

Because application of the unfairness test will be so difficult in a field as technical and volatile as data security, the Commission likely will prefer the "low-hanging fruit" of companies that court obvious risks of substantial harm by failing to implement simple, readily-available security measures. If more challenging cases are brought, those probably will be prompted by large-scale, highly-publicized losses of customer information. Companies suffering the embarrassment of such incidents will rarely be in a mood to reject consent decrees, however weak the Commission’s case might be on the merits.

The States Weigh in: the DSW Case

Although the FTC is the nation’s primary consumer protection agency, the states also have consumer protection laws and have not hesitated to bring their own enforcement actions in cases involving privacy and data security.9 On June 6, 2005, the Ohio Attorney General announced that DSW, Inc. ("DSW"), a retailer of shoes, had committed an "unfair or deceptive act or practice" under Ohio law when it failed to notify all affected consumers of a theft of personal information concerning transactions made by means of checking accounts, credit cards and debit cards.10 Although the complaint alleged that this failure was both deceptive and unfair, there is no allegation that DSW had made any commitments to consumers concerning notification of data security incidents. Accordingly, the Attorney General’s complaint is effectively an unfairness action, and appears to signal the willingness of at least some states to act, as the FTC has acted in the BJ’s case, against companies that have given no assurances concerning their security or notification practices.

Conclusion

Companies that store and protect consumer information should continue to ensure that their security practices are consistent with representations made in their privacy policies, advertising and other public statements. In light of the actions against BJ’s and DSW, however, no company should assume that care in crafting its published policies, or a decision not to commit to such policies, will save its information protection practices from scrutiny. All companies should conduct risk assessments, develop and implement information protection policies, and train their personnel thoroughly in their responsibilities for the acquisition, storage, transmission and disposal of customer information.

Footnotes:

1. For a summary of the "deception" cases as of April, 2003, see C. Kennedy and J. Warrington "Regulators Are Watching Your Data Security," Privacy and Information Law Report (Glasser Legal Works, Sep. 2003).

2. Eli Lilly and Co., Docket No. C-4047 (May 8, 2002); see http://www.ftc.gov/opa/2002/01/elililly.htm.

3. See In the Matter of MTS, Inc., d/b/a Tower Records/Books/Video, File No. 032-3209 (Federal Trade Commission Apr. 21, 2004); but see In the Matter of Microsoft Corp., File No. 012-3240 (Federal Trade Commission 2002) (involving specific representations concerning superiority of one service’s security to that of other services).

4. "FTC Moves on Breaches, Privacy Policy Changes," Washington Internet Daily (June 14, 2004); Prepared Statement of the Federal Trade Commission before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census (Apr. 21, 2004); "Lax Security Could Bring FTC Enforcement under ‘Unfair’ Practices Section of FTC Act," BNA Privacy Law Watch (May 26, 2004).

5. Id.

6. 15 U.S.C. § 45(a).

7. In most of the Commission’s unfairness actions, the alleged injury consisted of a tangible harm that was obvious and inherent in the challenged practice. For example, typical unfairness complaints have alleged delays in mailing promised rebates, wrongful collection of consumer debts that had been discharged in bankruptcy, adding of unauthorized charges to credit cards and failing to honor repair contracts. Each of those practices imposed direct, completed harmful effects, usually in the form of financial loss, rather than mere risk of such harmful effects. No weighing of probabilities was required.

8. The Commission is accustomed to dealing with practices that involve some deception or failure to make a material disclosure that could have been made at very little cost, and where offsetting benefits were therefore unlikely: for example, ratings on insulation and disclosure of credit card charges. Where we are talking about implementation of technical and administrative measures that are indisputably expensive and may or may not make the product more cumbersome to use, a more difficult analysis is required.

9. See, e.g., In the Matter of Ziff Davis Media Inc., Assurance of Discontinuance effective Aug. 28, 2002 (Office of New York State Attorney General, www.oag.ny/us).

10. State of Ohio v. DSW, Inc., Case No. 05CVH06-6128 (Complaint for Declaratory Judgment, Court of Common Pleas, Franklin County, Ohio, June 6, 2005); Press Release of Attorney General Jim Petro at http://www.ag.state.oh.us/press_releases/2005/pr20050606.htm.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved
